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§ ; ABSTRACT 

We present a non-deterministic polynomial-time algorithm to find a path of length O (log p log log p) 
between any two vertices of the Cayley graph of SL 2 (F P ). 
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It is well known that SL 2 (F p ) is generated by ( n 1 ) and ( j ^ ). It is a much 



deeper theorem [6] that the Cayley diameter of this group with respect to these generators is 

0(logp). There are two known proofs. One depends on uniformly bounding the eigenvalues 

of the Laplacian on Lq(X(p)) away from zero [6]. The other uses the circle method to 

show that any element of SL 2 (Fp) lifts to an element of SL 2 (Z) which has a short word 

>• \ representation [7]. Neither method is constructive. A. Lubotzky asked [6] for an efficient 
[~ — , 

algorithm to find short word representations of general elements of SL 2 (F p ). In this note 
we give such an algorithm, but for word representations of length 0(logp log logp) rather 
^ ■ than O(logp). More precisely, we prove 
O 

Theorem 1: There exist constants c\ and c 2 such that for any C3 < 1, there exists C4 such 
that for any prime p and any element of SL2(F P ), the algorithm will find a word of length 

S ■ < c\ logploglogp in time < C4iog C2 p with probability > C3. 

> 

Consider first the basic strategy of lifting a G SL^Fp) to a G SL2(Z) and then using 
Euclid's algorithm to represent a. The trouble is that we must use the subtractive 
Euclidean algorithm. That is, we have to pay for each operation of subtracting one row 
from another, so the performance of the algorithm is worse than that of the usual Euclidean 
algorithm (and harder to analyze as well). In terms of continued fractions, cost is the sum 
of the partial quotients instead of their number. A heuristic argument suggests a median 
word length of 0(log iV log log N) for a matrix with entries in [— N, N]. By contrast, by 
a result of D. Knuth and A. Yao [4], the mean word length is 0(log 2 N). The difference 
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between median and mean is due to the fact that a few matrices require very long words. 
In particular, the word length is guaranteed to be large if the largest matrix entry is much 
larger in absolute value than the smallest. The obvious ways of lifting to SL 2 (Z) nearly 
always produce such unbalanced matrices. For example, if we lift the entries of the first 
row to elements of [0,p — 1] and then lift the remaining entries to integers of minimal 
absolute value, they will typically be of order 0(p 2 ). 

To avoid this difficulty, we turn the problem around and ask for elements of SL 2 (Z) 
which can be represented by short words in our generators. Let a and d denote integers 
between 1 and p with mutually inverse reductions (mod p). Set c = p, so b = (ad — l)/p- 
For most choices of a, a/p has a continued fraction expansion with partial quotient sum 
O(logploglogp). To show this, one must justify the heuristic estimate mentioned above 
for the sum of the partial quotients of a random fraction of fixed demominator p. We do 
this by an elementary argument suggested by the circle method. 

In the above construction, b and d are determined by a. To eliminate the dependence 
on 6, we use the identity 

fa b\ (I 1\ (a by 1 = (I a 2 \ 
\0 d) \0 l) \0 d) \0 1 J' 

This provides a large number of unitriangular matrices with word representations of length 
O(logploglogp), from which one can easily construct all elements of SL2(F P ). 

It may be worth noting that the analogous problem for SU(2) has recently been solved: 
given a fixed finite set of topological generators, to approximate a given a G SU(2) with 
error e by a word of polylog length in polylog time. A solution using iterated commutators 
was discovered independently by R. Solovay and A. Kitaev [1] App. 3. 

I would like to acknowledge the hospitality of the Hebrew University where this work 
was done. Peter Sarnak first called my attention to the problem of efficiently constructing 
short word representations for SL2(F P ). He also made a number of helpful comments on 
an earlier version of this paper. I enjoyed a number of stimulating conversations with Alex 
Lubotzky on this problem. It gives me great pleasure to thank them both. 

We begin with a careful analysis of the performance of the subtractive Euclidean algo- 
rithm. For terminology, notation, and basic facts related to continued fraction expansions, 
we refer to [2] and [3]. 

Definition 2: An element ^ ^ o/SL 2 (Z) is left-dominated ifa,b,c,d > and 
a + c > b + d. 
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Lemma 3: If ^ is left- dominated, then a > b. Moreover, unless it is the identity 

matrix, c> d. 

Proof: If a < 6, then d < c, which is impossible, since the matrix entries are non-negative 
and the determinant is 1. Similarly, if c < d, then b < a, so be < ad — 1, with equality if 
and only if b = c = 0. □ 

Lemma 4: // ^\ is a left- dominated matrix other than the identity, then if a < c, the 

matrix ^ c ° a ^ ^ is left- dominated; otherwise c ° ^ d^^J * 5 left- dominated. 

Proof: All that remains to be shown is that the entries of the specified matrix are non- 
negative. If a < c, unimodularity implies d > b. If a > c and d > 6, unimodularity implies 
that ^ ^ ^ ^ j s the identity. □ 

This lemma shows that the elementary row operations needed to reduce a left-dominated 
matrix to the identity can be chosen without reference to the right column. It therefore 
motivates the definition of a function S : N x N — > N as follows: 

if c = 0, 

S(a, c) = { S(a - c, c) + 1 if a > c> 0, 
S(a,c-a) + l if c > a > 0. 

We have immediately from this definition the following lemma: 

Lemma 5: Any left- dominated matrix ^ can be written as a word of length S(a, c) 

( 1 1 \ ( 1 

in the letters I ^ J and I ^ ^ 

Every positive rational number has exactly two continued fraction expansions: 

- = [ko, fci, . . . , fe n ] = [fco, fci, . . . , k n - 1, 1]. 

c 

Therefore, we may define T(a/c) to be the sum of the partial quotients appearing in a 
continued fraction expansion of a/c. 

Lemma 6: If a and c are relatively prime positive integers, T(a/c) = S(a,c). 

Proof: Immediate by induction. □ 

Our object will be to show that for any fixed prime p there exist many positive integers 
a < p such that S(a,p) is not much greater than logploglogp. To do this, it will be 
convenient to break up T(a/p) into pieces corresponding to individual partial quotients. 
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We therefore define T d (a/p) to be equal to ki if the denominator of [ko, k\, . . . , h-i] is d 
for some z < n; to be 1 if d is the denominator of [ko, ki, . . . , k n — 1]; and otherwise to be 
0. Thus T d (a/p) > if and only if some fraction with denominator d is a convergent of 
a /p. Moreover, 

oo p— 1 

J2 T d(a/p) = Y, T d(a/p) = T(a/p) + 1. 
d=i d=i 

The key proposition is as follows: 

Proposition 7: For all e > 0, there exists a constant C such that for all primes p, 

\{a E [l,p- 1] HN : S(a,p) < Clogploglogp}) > _^ 

p- 1 



Proq/; Let X = [l,p- 1] D N. For 5 G (0, 1) and d G N we define the "major arc" Y d (S) 
(really a union of major arcs) to be the subset of X consisting of a such that 



inf 



a b 
p d 



< 



d 2 



For d>p, Y d (5) is empty. Every d < p is relatively prime to p, so there is at most one way 
to represent a given integer as ad — bp, a G X, b G Z, (and no way to represent 0). Thus, 

2p5 



\Y d (S)\ < 



d 



We define 



so 



X(6) = X\{jY d (6), 



d=i 



\X(8)\ >p-l-p[2<yj^l/d] > -l+p(l-2<5(logp+l)) > -l+p(l-6<yiogp). 



d=l 

On the other hand, the "minor arc" contribution satisfies 

£ T(o/p)< ^ £r d (a/p). 

a6X(5) a6X(5)d=l 

If Pi/qi denotes the ith convergent of a/p, then 



Pi _ a 
9* P 



< 



2 ' 



In particular, unless \bp — ad\ < p/d, b/d cannot be a convergent of a /p. Thus, 

a6X((5) ee[p5/d,p/d]nN 

Summing over d, 

T ( a /P) < ^ P ~ 2 ^ -21ogt?(logp+l)p. 

a£X(i) 

Setting 5 = jrfL-, we get \X(6)\ > (1 - e/2)p - 1 and 

T(a/p) < 2plogploglogp + o(plogploglogp). 

aeX(<5) 

Choosing C sufficiently large, the number of elements a in X(S) with 

T(a/p) > Clogploglogp 

is less than ep/2. Thus, the number of elements in X with T(a/p) > Clogploglogp is at 
most ep. □ 
We can now prove the main theorem: 

Proof: Setting e to be any constant less than 1/16, we define C as above. As the number 
of points on a nonsingular affine conic over ¥ p is at least p — 1 and at most p + 1, for any 
y G F p , there are p/4 + 0(1) representations of y as a sum of quadratic residues x\ and 
X2- We write ai for the representative of ^fxl in [l,p/2]. The number of choices of x\ for 
which 

sup T(di/p) > Clogploglogp 

i 

is at most 4ep, so that if an element x\ of ¥ p is chosen at random, the probability is at 
least 1/4 — 2e > that x\ is a square, S(ai,p) < Clogploglogp, and the same things are 
true for X2 = y — x\ and the unique integer ai G [l,p/2] such that o\ reduces to xi- Define 
di to be the integer in [l,p— 1] which reduces to the inverse of the reduction of a^, and set 
bi = (ciidi - 1)/ p. Thus, 

a\ bi \ ( 1 1 \ / a\ b\ \ 1 / a 2 b 2 \ ( 1 \\ ( a,2 62 X 



d x ) \§ iyv° rf iy v° d 2/\° 1 y V rf 2 

can be written as a word of length at most AC log p log \ogp + 2, and its (mod p) reduction 

'1 V 
1 



is 
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For square roots, we use Shanks's algorithm ([8], [5]), which is probabilistic and poly- 
logarithm. Note that one has a deterministic square root algorithm when p = 3 (mod 4), 
but nevertheless, our algorithm remains nondeterministic since it depends on how many 
tries are needed before we find a good x\. 

Applying transpose, we can likewise find words of length O (log p log log p) for lower 
unitriangular matrices. Since every matrix which is not upper triangular can be written 

(I yi \ f 1 0\ (I y 3 
\0 1 J \y 2 lj \0 1 

every matrix in SL 2 (F p ) can be written as a product of at most four upper or lower 
unitriangular matrices. Therefore, for every constant C4 < (1/4) 4 , we can find c±, C2, 
and C3 satisfying the conditions of the theorem. To deal with C4 > 4 -4 , we use repeated 
independent trials of the algorithm. 

□ 
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